Upstream has issued an advisory today (July 16): http://www.openwall.com/lists/oss-security/2015/07/16/3 The issue is fixed upstream in 2.4.4. Mageia 4 and Mageia 5 are also affected. Reproducible: Steps to Reproduce:
Version: 5 => CauldronWhiteboard: (none) => MGA5TOO, MGA4TOO
URL: (none) => http://lwn.net/Vulnerabilities/651766/
CC: (none) => geiger.david68210, pterjan
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated groovy packages fix security vulnerability: When an application has Groovy on the classpath and that it uses standard Java serialization mechanim to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability (CVE-2015-3253). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253 http://groovy-lang.org/security.html ======================== Updated packages in core/updates_testing: ======================== groovy-1.8.7-3.1.mga4 groovy-javadoc-1.8.7-3.1.mga4 groovy-1.8.9-5.1.mga5 groovy-lib-1.8.9-5.1.mga5 from SRPMS: groovy-1.8.7-3.1.mga4.src.rpm groovy-1.8.9-5.1.mga5.src.rpm
Version: Cauldron => 5Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => MGA4TOO
CC: (none) => davidwhodginsWhiteboard: MGA4TOO => MGA4TOO advisory
Hi all, tested fine on MGA5-64-OK (Acer Core Due laptop): [shlomif@localhost ~]$ groovy -e 'print "Hi\n";' /usr/bin/build-classpath: Could not find jsp Java extension for this JVM /usr/bin/build-classpath: error: Some specified jars were not found Hi [shlomif@localhost ~]$ groovy -e 'for (int i in (1 .. 10)) { print i; print "\n"; }' /usr/bin/build-classpath: Could not find jsp Java extension for this JVM /usr/bin/build-classpath: error: Some specified jars were not found 1 2 3 4 5 6 7 8 9 10 [shlomif@localhost ~]$ cat 99_bottles.groovy # From Rosetta Code def bottles = { "${it==0 ? 'No more' : it} bottle${it==1 ? '' : 's' }" } 99.downto(1) { i -> print """ ${bottles(i)} of beer on the wall ${bottles(i)} of beer Take one down, pass it around ${bottles(i-1)} of beer on the wall """ } [shlomif@localhost ~]$ groovy 99_bottles.groovy | less [shlomif@localhost ~]$ rpm -q groovy groovy-1.8.9-5.1.mga5 [shlomif@localhost ~]$
CC: (none) => shlomifWhiteboard: MGA4TOO advisory => MGA4TOO advisory MGA5-64-OK
I'm going to try MGA4-32 next. Stay tuned. Regards, -- Shlomi Fish
Adding MGA4-32-OK because tested fine on a VBox VM.
Whiteboard: MGA4TOO advisory MGA5-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK
Testing MGA4 x64 (OK) Great thanks to Shlomi for his tests in Comment 2. BEFORE: groovy-1.8.7-3.mga4 [Installing this pulled in 75 packages!] $ groovy -e 'print "Hi\n";' Hi $ groovy -e 'for (int i in (1 .. 10)) { print i; print "\n"; }' 1 ... 10 $ groovy 99_bottles.groovy [or redirect O/P to file, or pipe to less] 99 bottles of beer on the wall 99 bottles of beer Take one down, pass it around 98 bottles of beer on the wall ... 1 bottle of beer on the wall 1 bottle of beer Take one down, pass it around No more bottles of beer on the wall UPDATE to: groovy-1.8.7-3.1.mga4 The three tests produced identical ouput. So at least no reversion, OK.
CC: (none) => lewyssmithWhiteboard: MGA4TOO advisory MGA5-64-OK MGA4-32-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK
Tested on a Mageia 5 i586 VM. Works fine before and after the update. Marking as "MGA5-32-OK" and "has_procedure".
Whiteboard: MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA4-64-OK MGA5-32-OK has_procedure
Validating, please push to 4 & 5 core/updates. @ Shlomi: Feel free to validate it yourself once it has been tested on all platforms.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0296.html
Status: NEW => RESOLVEDResolution: (none) => FIXED